The complexity of pcre comes at a high price though: it has a
negative influence on performance. So, to keep Suricata from
having to evaluate pcre often, pcre is mostly combined with 'content'. In
that case, the content has to match first, before pcre will be
checked.

Format of pcre:

"/<regex>/opts";

Example of pcre:

pcre:"/[0-9]{6}/";

In this example there will be a match if the payload contains six
consecutive digits.

Example of pcre in a signature:

There are a few qualities of pcre which can be modified:

By default pcre is case-sensitive.

The . (dot) is a part of regex. It matches on every byte except for
newline characters.

R: Match relative to the last pattern match. It is similar to distance:0;

U: Makes pcre match on the normalized uri. It matches on the
uri_buffer just like uricontent and content combined with http_uri. U
can be combined with /R. Note that R is relative to the previous
match so both matches have to be in the HTTP-uri buffer. Read more
about HTTP-uri normalization.

I: Makes pcre match on the HTTP-raw-uri. It matches on the same
buffer as http_raw_uri. I can be combined with /R. Note that R is
relative to the previous match so both matches have to be in the
HTTP-raw-uri buffer. Read more about HTTP-uri normalization.

P: Makes pcre match on the HTTP-request-body. So, it matches on
the same buffer as http_client_body. P can be combined with /R. Note
that R is relative to the previous match so both matches have to be
in the HTTP-request body.

Q: Makes pcre match on the HTTP-response-body. So, it matches
on the same buffer as http_server_body. Q can be combined with
/R. Note that R is relative to the previous match so both matches
have to be in the HTTP-response body.

H: Makes pcre match on the HTTP-header. H can be combined with
/R. Note that R is relative to the previous match so both matches have
to be in the HTTP-header buffer.

D: Makes pcre match on the unnormalized header. So, it matches
on the same buffer as http_raw_header. D can be combined with
/R. Note that R is relative to the previous match so both matches
have to be in the HTTP-raw-header.

M: Makes pcre match on the request-method. So, it matches on the
same buffer as http_method. M can be combined with /R. Note that R
is relative to the previous match so both matches have to be in the
HTTP-method buffer.

C: Makes pcre match on the HTTP-cookie. So, it matches on the
same buffer as http_cookie. C can be combined with /R. Note that R
is relative to the previous match so both matches have to be in the
HTTP-cookie buffer.

S: Makes pcre match on the HTTP-stat-code. So, it matches on the
same buffer as http_stat_code. S can be combined with /R. Note that
R is relative to the previous match so both matches have to be in
the HTTP-stat-code buffer.

Y: Makes pcre match on the HTTP-stat-msg. So, it matches on the
same buffer as http_stat_msg. Y can be combined with /R. Note that
R is relative to the previous match so both matches have to be in
the HTTP-stat-msg buffer.

B: You can encounter B in signatures but this is just for
compatibility. So, Suricata does not use B but supports it so it
does not cause errors.

O: Overrides the configured pcre match limit.

V: Makes pcre match on the HTTP-User-Agent. So, it matches on
the same buffer as http_user_agent. V can be combined with /R. Note
that R is relative to the previous match so both matches have to be
in the HTTP-User-Agent buffer.

W: Makes pcre match on the HTTP-Host. So, it matches on the same
buffer as http_host. W can be combined with /R. Note that R is
relative to the previous match so both matches have to be in the
HTTP-Host buffer.
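As an added example (not code from the Suricata project), a small Python model of what the keyword format and buffer modifiers above mean: the pcre keyword is parsed, the modifier letter selects the buffer that is inspected, and /R resumes from the end of the previous match. REQUEST, parse_pcre, pcre_match and match_chain are names chosen for this example; the sample request is constructed.

```python
import re

# Modifier letter -> HTTP buffer it selects, per the list above.
# B (compatibility only) and O (match-limit override) select no buffer.
BUFFER_FLAGS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
    "Q": "http_server_body", "H": "http_header", "D": "http_raw_header",
    "M": "http_method", "C": "http_cookie", "S": "http_stat_code",
    "Y": "http_stat_msg", "V": "http_user_agent", "W": "http_host",
}

def parse_pcre(keyword):
    """Split pcre:"/<regex>/opts"; into (regex, buffer name, relative?)."""
    m = re.fullmatch(r'pcre:"/(.*)/([A-Za-z]*)";', keyword.strip())
    if not m:
        raise ValueError("not a pcre keyword: " + keyword)
    regex, opts = m.group(1), m.group(2)
    buffers = {BUFFER_FLAGS[c] for c in opts if c in BUFFER_FLAGS}
    if len(buffers) > 1:
        raise ValueError("more than one buffer modifier: " + opts)
    name = buffers.pop() if buffers else "payload"   # no modifier: payload
    return regex, name, "R" in opts

def pcre_match(keyword, buffers, last_end=0):
    """Run one pcre keyword against the buffer its modifier selects.
    Returns the match end offset (where a following /R resumes) or None.
    Python's re defaults agree with the page: case-sensitive, and '.'
    does not match a newline."""
    regex, name, relative = parse_pcre(keyword)
    data = buffers.get(name, "")
    m = re.compile(regex).search(data, last_end if relative else 0)
    return m.end() if m else None

def match_chain(keywords, buffers):
    """Evaluate pcre keywords in signature order; /R continues from the
    end of the previous match, like distance:0 for content."""
    last_end = 0
    for kw in keywords:
        last_end = pcre_match(kw, buffers, last_end)
        if last_end is None:
            return False
    return True

# Constructed sample request, pre-split into the buffers Suricata exposes.
REQUEST = {
    "payload": "GET /download?id=123456 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http_method": "GET",
    "http_uri": "/download?id=123456",
    "http_host": "example.test",
}
```

A buffer modifier makes the pattern run only over that buffer, so `pcre:"/download/UR";` after `pcre:"/id=/U";` fails (the text lies before the previous match), while the same pattern without R still matches.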